With Active Directory Domain Services (AD DS) you can use delegate administrative tasks to specific OU users or groups. For example, if you want that one group in your OU can delegate control to create/delete/manage accounts, while another group can delete control to create/delete/manage groups, it is quite possible with Delegate Control.
The best practice to apply Delegate Control is for the security group and not individual users. Because you can create a security group and allow delegate control to it with common task. Then the users in this group will have the applied delegate control. If you want another users that should have these controls, you can add them to the security group.
If you’ve already created your security group, here is how you can use apply Delegate Control on it.
How To Use Delegate Control In Active Directory
1. Open Active Directory Users and Computers by running dsa.msc command.
2. In Active Directory Users and Computers window, expand your domain and right click on either Users or the OU where you want to delegate permissions and select Delegate Control option.
3. In the Delegation of Control Wizard window, click Next and then you’ll be asked to add the users or group you want to delegate control. Click on Add button and locate the required users/groups.
4. As you can see in below screenshot, we’ve added the security group to delegate control so we’ll now hit Next.
5. Then we need to select some of the common tasks to delegate. If the task you want isn’t listed, use the Create a custom task to delegate option.
6. Finally, click on Finish button and this will complete Delegation of Control Wizard. Your selected delegated task should be now applied to your selected groups/users.
You can now exit the Active Directory Users and Computers window, if you like.
That’s it!
Related: How To Remove Delegate Control In Active Directory.
